TREA

Identifying automated responses to security threats based on communication interactions content

Follow

Information

  • Patent Grant
  • 11870802
  • Patent Number
    11,870,802
  • Date Filed
    Thursday, March 31, 2022
    3 years ago
  • Date Issued
    Tuesday, January 9, 2024
    a year ago
Information
Abstract
Systems, methods, and software described herein provide security actions based on related security threat communications. In one example, a method of operating an advisement system includes identifying a security threat within the computing environment, wherein the computing environment comprises a plurality of computing assets. The method further provides obtaining descriptor information for the security threat, and retrieving related communication interactions based on the descriptor information. The method also includes generating a response to the security threat based on the related communication interactions.
Description
TECHNICAL FIELD

Aspects of the disclosure are related to computing environment security, and in particular to implementing responses to security threats based on related communication interactions.


TECHNICAL BACKGROUND

An increasing number of data security threats exist in the modern computerized society. These threats may include viruses or other malware that attacks the local computer of the end user, or sophisticated cyber-attacks to gather data and other information from the cloud or server based infrastructure. This server based infrastructure includes real and virtual computing devices that are used to provide a variety of services to user computing systems, such as data storage, cloud processing, web sites and services, amongst other possible services. To protect applications and services, various antivirus, encryption, and firewall implementations may be used across an array of operating systems, such as Linux and Microsoft Windows.


Further, some computing environments may implement security information and event management (STEM) systems and other security detection systems to provide analysis of security alerts generated by network hardware and applications. In particular, SIEM systems allow for real-time monitoring, correlation of events, notifications, and console views for end users. Further, STEM systems may provide storage logs capable of managing historical information about various security events within the network. Although SIEMs and other security identifying systems may generate security alerts for devices within the network, administrators may be forced to identify background information about each of the threats, and translate the gathered information into security actions. Thus, time and resources that could be used on other tasks may be used in researching and determining an appropriate course of action to handle a security threat.


OVERVIEW

The technology disclosed herein enhances how security threats are processed within a computing environment. In one example, a method of operating an advisement system includes identifying a security threat within the computing environment, wherein the computing environment comprises a plurality of computing assets. The method further provides obtaining descriptor information for the security threat, and obtaining related communication interactions based on the descriptor information. The method also includes generating a response to the security threat based on the related communication interactions.





BRIEF DESCRIPTION OF THE DRAWINGS

Many aspects of the disclosure can be better understood with reference to the following drawings. While several implementations are described in connection with these drawings, the disclosure is not limited to the implementations disclosed herein. On the contrary, the intent is to cover all alternatives, modifications, and equivalents.



FIG. 1 illustrates a computing environment to manage and implement security actions.



FIG. 2 illustrates a method of operating an advisement system to generate responses to a security threats based on communication information.



FIG. 3 illustrates an operational scenario for identifying security actions in response to a security threat.



FIG. 4 illustrates an advisement computing system for providing security actions in response to security threats.





TECHNICAL DISCLOSURE

The various examples disclosed herein provide for generating responses to security threats based on communication interactions related to the security threat. In many situations, organizations may employ a variety of computing assets, which may include various hardware and processes. During the operation of the hardware and process, security incidents or threats may occur, which inhibit the operation of the assets and the environment as a whole. To take actions against the security threats, an advisement system may be coupled to the computing environment, which is capable of identifying security threats within the environment and taking actions against the identified threats.


In particular, the advisement system may obtain reports of security threats from users of computing assets in the computing environment, security information and event management (SIEM) system reports of threats in the computing environment, computing asset reports of threats in the computing environment, or any other similar reports of security threats. In response to a security threat, the advisement system may gather supplemental information about the threat to determine the functionality and severity that the threat poses to the environment. For example, the advisement system may query internal and external databases and websites to determine what type and how severe the security threat is to the organization's assets.


Further, in some implementations, the advisement system may identify related communication interactions to assist in identifying the threat and the appropriate response to the threat. These related communication interactions may comprise email interactions, instant message interactions, downloads, or any other similar communication interaction. To identify the related interactions, the advisement system may obtain descriptor characteristics or information for the particular threat. For example, if a threat were reported to the advisement system about a suspicious email received on a first computing asset, the advisement system may determine an internet protocol (IP) address for the threat, a domain name or uniform resource identifier (URL) for the threat, a user name associated with the threat, or any other similar information. Once the characteristics are received, the device may then identify communications within the organization that correspond to the characteristics. Accordingly, if a plurality of computing assets received the same email, the advisement system may be able to identify that the email is part of a spear-phishing campaign that attempts to gather sensitive information from users within the organization.


Upon identifying the related communications within the environment, the advisement system may generate a response to the security threat based on the related communication interactions. In some implementations, the advisement system may be configured to automate a response to the security threat. Referring to the example of the spear-phishing campaign, the advisement system may automate a process to block future emails from the malicious IP address. In addition to or in place of the automated response, the advisement system may further determine suggested actions that can be provided to an administrator of the environment. Once provided to the administrator, the administrator may select an action to be implemented, which will then be applied by the advisement system to the required assets of the environment.


In at least one example, the advisement system may be configured with connectors or software modules that can be used to automate the implementation of security actions within computing environment. As described herein, computing environments may include a plurality of computing assets with varying hardware and software configurations. Accordingly, the connectors may be used to take a unified command, and translate the command to the required processes to implement a security action. Accordingly, if an action is to be implemented across multiple assets with different firewall configurations, the advisement system may use the appropriate connector and processes to implement the desired modification for each firewall.


To further illustrate the operation of an advisement system within a computing network, FIG. 1 is provided. FIG. 1 illustrates a computing environment 100 to manage and implement security actions. Computing environment 100 includes computing assets 110-116, SIEM system 120, advisement system 130, sources 140, and administration console 150. Computing assets 110-116 include applications 110, routers 111, intrusion detection systems and intrusion prevention system (IDS/IDP) 112, virtual private networks (VPNs) 113, firewalls 114, switches 115, and operating systems 116, although other assets may exist. Assets 110-116 may execute via any number of computing systems or devices. In addition to the routers and switches, these computing devices may include server computers, desktop computers, laptop computers, tablet computers, and the like. Although not illustrated in the present example, in some implementations, assets may be defined at computing system level. Accordingly, assets may be defined as physical computing systems, such as servers, end user computing systems, host computing systems, and the like, and may further be defined as virtual computing systems, such as virtual machines executing via host computing systems. These physical and virtual computing systems may include an operating system, applications, processes, firewalls, and other similar computing resources.


SIEM system 120, advisement system 130, internal and external sources 140, and administration console 150 may each include communication interfaces, network interfaces, processing systems, computer systems, microprocessors, storage systems, storage media, or some other processing devices or software systems, and can be distributed among multiple devices. STEM system 120, advisement system 130, and sources 140 may comprise one or more server, desktop, laptop, or other similar computing devices. Administration console 150 may comprise an end user device, such as a desktop computer, laptop computer, smartphone, tablet, or any other similar computing device.


Advisement system 130 communicates with SIEM system 120, sources 140, and administration console 150 via communication links that may use Time Division Multiplex (TDM), asynchronous transfer mode (ATM), internet protocol (IP), Ethernet, synchronous optical networking (SONET), hybrid fiber-coax (HFC), circuit-switched communication signaling, wireless communications, or some other communication format, including combinations and improvements thereof. Similarly, STEM system 120 may gather information from assets 110-116 via a plurality of communication links to the computing systems associated with the assets, wherein the links may use TDM, ATM, IP, Ethernet, SONET, HFC, circuit-switched communication signaling, wireless communications, or some other communication format, including combinations and improvements thereof. While not illustrated in the present example, it should be understood that advisement system 130 might communicate with the assets over various communication links and communication formats to implement desired security actions, or to receive an incident report.


In operation, SIEM system 120 receives data and performance information from assets 110-116 and performs inspections to identify possible security threats. Once SIEM system 120 identifies a possible security threat, information about the security threat is transferred to advisement system 130. Advisement system 130 identifies the security threat and analyzes the threat to determine an appropriate action to be taken against the threat. This analyzing of the threat may include gathering descriptor information for the threat, such as IP addresses, user names, and domain names for the threat, and identifying related communication interactions based on the descriptor information. These related communications may be used to identify the severity of the threat, the identity of the threat, or any other similar information about the threat. Based on the related communication information, as well as enrichment information about the threat gathered from sources 140, security actions may be determined for the particular threat.


To further illustrate the operation of computing environment 100, FIG. 2 is provided. FIG. 2 illustrates a method 200 of operating advisement system 130 to generate responses to security threats based on communication information. In particular, as described in FIG. 1, SIEM system 120 receives information from a plurality of network assets 110-116 and identifies security threats based on the information. Once a threat is identified, the threat is transferred to advisement system 130. Advisement system 130 identifies the security threat or incident within computing environment 100 (201), and obtains descriptor information related to the security threat (202). This descriptor information is associated with identifiers for the security threat, such as usernames associated with the threat, IP addresses associated with the threat, domain names associated with the threat, or any other similar information. For example, if a threat were reported for a suspicious email, advisement system 130 may receive information regarding the domain name that the email was sent from, as well as information about the user that sent the email. This information may be received from STEM system 120 or other security monitoring systems in the environment, may be determined based on a user report of the threat, may be received from the asset associated with the threat, or may be obtained in any other similar manner.


Once the descriptor information is obtained, advisement system 130 identifies related communication interactions based on the descriptor information (203). These related communication interactions may include related email interactions, related instant messages, or any other similar message. For example, a domain name may be identified in an email associated with an identified threat. Based on the domain name, other emails to other users of assets in the environment may be flagged to determine if the particular emails correspond to a phishing scheme, or some other malicious attempt to retrieve data from users of the environment. To determine the type of threat, advisement system 130 may provide textual analysis to determine keywords or phrases within the communications to determine the type of information requested in the communication. Further, in some implementations, advisement system 130 may search and identify attachments in the communications to determine possible phishing or virus threats within the attachments.


Once the related communication interactions are identified, advisement system 130 generates a response to the security threat based on the related communications (204). In some examples, the response may be generated based on the number of identified related messages, the content of the related messages, or any other similar information associated with the messages. For instance, if a plurality of emails were delivered from the same user, wherein each of the messages included a request for personal information, the response to the threat may include blocking future emails from the identified user.


In some implementations, the response to the threat may be automated, wherein advisement system 130 may provide the required procedures to implement the action. However, in addition to or in place of the automated action, advisement system 130 may provide a list of one or more actions to administrator 160 based on the related communications. Once the actions are provided to the administrator, the administrator may select at least one desired action to be implemented within the environment. In at least one example, advisement system 130 may be configured with connectors or software modules that can be used to translate action requests into the desired procedures for various hardware and software configurations. Accordingly, if administrator 160 selected an action to be implemented across multiple devices, advisement system 130 may translate the action to required processes for each hardware and software configuration of the devices.


As illustrated in FIG. 1, advisement system 130 may further communicate with internal and external sources 140 to assist in determining a response to a security threat. In particular, sources 140, which may comprise a website, database, or some other similar source, may provide information about an identified threat. For example, if an IP address were identified as being a provider for a possible security threat, databases and websites may be queried to determine information related to the IP address. For example, a website may maintain information about whether an IP address is associated with phishing scheme, whether the IP address is associated with malicious processes, or any other information about the process.


In some implementations, advisement system 130 may use content from the related communications to search for enrichment information within sources 140. In particular, advisement system 130 may retrieve various emails, instant messaging conversations, or other similar communications related to the threat, and based on the content of the communications, retrieve enrichment information within sources 140. For instance, if related communications included a link to download a file, advisement system 130 may query sources 140 to determine information about the file, such as whether the file is malicious, and what threat it poses to the environment.


Although illustrated in FIG. 1 with a STEM system, it should be understood that in some examples other systems, such as the assets within the computing environment, might be used to identify security threats. Further, although illustrated separate in the example of FIG. 1, it should be understood that STEM system 120 might reside wholly or partially on the same computing systems as advisement system 130.


Referring now to FIG. 3, FIG. 3 illustrates an operational scenario 300 for identifying security actions in response to a security threat. Operational scenario 300 includes new incident 305, assets 310-312, email server 320, advisement system 330, and administrator 340. Assets 310-312 may comprise end user computing devices, virtual machines, server computing systems, routers, switches, or any other similar computing system or asset, including combinations thereof. Although illustrated with three assets in the present example, it should be understood that a computing environment may include any number of assets. Further, in some implementations, email server 320 may be considered a computing asset for the computing environment.


As illustrated, asset 311 encounters a possible security threat 305, which is reported to advisement system 330. This report may originate from asset 311, may originate from a user associated with asset 311, may originate from a STEM system for the environment, or may originate from any other similar security hardware or process. New threat 305 may comprise a suspicious email, a suspicious message, or any other similar communication interaction. These suspicious emails and messages may include requests for personal or sensitive information, unknown attachments, or any other similar data. In response to identifying the threat, advisement system 330 retrieves related communication information from other computing systems and assets within the environment. These related communications may possess the same source username as new threat 305, may possess the same root IP address as new threat 305, may possess the same domain name as new threat 305, or may include similar content to the content of new threat 305. In particular, as illustrated, advisement system retrieves related emails 350 from email server 320, and retrieves other related communications 351 from asset 312. Once the information is obtained from email server 320 and asset 312, advisement system 330 may determine actions based on the communication interactions.


In some implementations, to determine the security actions against new threat 305, advisement system 330 may identify actions based on the content and the number of related communications that are identified within the environment. For example, if a large number of communications are identified within the computing environment from an unknown IP address, wherein the communications ask users in the environment for personal information, such as credit card numbers, passwords, and the like, advisement system 330 may identify that the emails are related to a phishing scheme. Once the type of threat is identified, advisement system 330 may implement actions based on the type of threat that is presented in the environment.


Once the actions are selected, in some examples, advisement system 330 may be configured to implement the actions without further input from an administrator of the environment. For example, if a threat is associated with a particular IP address, advisement system 330 may initiate implementation of a firewall rule to block future communications from the IP address. In addition to or in place of the automated response from advisement system 330, advisement system 330 may be configured to provide one or more action recommendations to administrator 340. These actions may be provided via a user interface on advisement system 330 or to an administration console associated with administrator 340. Once the action recommendations are provided, the user may select or input a particular action, and advisement system may initiate implementation of the action within the environment. For example, administrator 340 may be provided with action options to block communications from a particular username, or to monitor future communications from the particular username. If the administrator selects to monitor for future communications from the username, advisement system 330 may be used to implement the necessary flags to identify communications from the desired username.


In some implementations, in addition to obtaining related communication information from various assets within the environment, advisement system 330 may use the information gathered from the assets to gather enrichment information about new threat 305. For example, advisement system 330 may obtain username, IP address, domain name, communication content, and other information about the threat from the related communications, and query internal and external sources to obtain supplemental information about the threat. Once the enrichment information is obtained, one or more actions may be defined based on the supplemental information for the presented threat. For example, a suspicious URL may be identified within a plurality of related emails. In response to identifying the URL, advisement system 330 may query a database to determine if any information is available for the URL. If the database returns that the URL is malicious, advisement system 330 may implement an action to prevent users from being able to access the URL. However, if the URL is determined not to be malicious, advisement system 330 may allow user to select the URL and monitor future communication interactions with the source of the URL.



FIG. 4 illustrates an advisement computing system 400 to provide action recommendations for a plurality of network assets. Advisement computing system 400 is representative of a computing system that may be employed in any computing apparatus, system, or device, or collections thereof, to suitably implement the advisement systems described herein. Computing system 400 comprises communication interface 401, user interface 402, and processing system 403. Processing system 403 is communicatively linked to communication interface 401 and user interface 402. Processing system 403 includes processing circuitry 405 and memory device 406 that stores operating software 407.


Communication interface 401 comprises components that communicate over communication links, such as network cards, ports, radio frequency (RF) transceivers, processing circuitry and software, or some other communication devices. Communication interface 401 may be configured to communicate over metallic, wireless, or optical links. Communication interface 401 may be configured to use TDM, IP, Ethernet, optical networking, wireless protocols, communication signaling, or some other communication format—including combinations thereof. In particular, communication interface 401 may communicate with security identification systems, such as STEM systems, security processes on the assets themselves, or some other security identification system. Further, communication interface 401 may be configured to communicate with one or more administration consoles to provide the suggested actions to administrators, and the computing assets of the environment to implement selected actions.


User interface 402 comprises components that interact with a user. User interface 402 may include a keyboard, display screen, mouse, touch pad, or some other user input/output apparatus. User interface 402 may be omitted in some examples.


Processing circuitry 405 comprises microprocessor and other circuitry that retrieves and executes operating software 407 from memory device 406. Memory device 406 comprises a non-transitory storage medium, such as a disk drive, flash drive, data storage circuitry, or some other memory apparatus. Operating software 407 comprises computer programs, firmware, or some other form of machine-readable processing instructions. Operating software 407 includes identify module 408, descriptor (descript) module 409, related module 410, and action module 411, although any number of software modules may provide the same operation. Operating software 407 may further include an operating system, utilities, drivers, network interfaces, applications, or some other type of software. When executed by circuitry 405, operating software 407 directs processing system 403 to operate advisement computing system 400 as described herein.


In particular, identify module 408 is configured to, when executed by advisement computing system 400 and processing system 403, to identify a security incident for an asset within the computing environment. This security incident may be reported by a SIEM system, a security process on a computing asset, a user within the computing environment, or any other similar security process or system. Once a threat is identified, descriptor module 409 directs processing system 403 to obtain descriptor information for the security threat. This descriptor information may include various characteristics about the threat, including any IP address associated with the threat, any domain names or URLs associated with the threat, the content of any communications related to the threat, or any other similar information. In some implementations, the descriptor information may be provided with the report of the security threat. For example, if a user provided the threat, the user may input or provide the required descriptor information. However, in other implementations, descriptor module 409 may retrieve the required information by requesting the asset associated with the incident for the required information.


Once the descriptor information is obtained, related module 410 directs processing system 403 to identify or retrieve related communication interactions based on the descriptor information. To identify this information, computing system 400 may contact various other assets, such as email servers, other user computing systems, and the like to identify communications with qualified descriptor information. For example, computing system 400 may identify a username in an email associated with the security threat. After identifying the username, computing system 400 may contact one or more other assets in the computing environment to identify other communication interactions with the same username. Once the related communication interactions are retrieved, action module 411 directs processing system 403 to generate a response to the security threat based on the related communication interactions.


In some implementations, to generate the response to the security action, computing system 400 may identify the number of communication interactions, as well as the information requested in the communication interactions to determine the appropriate action. For example, if the threat comprised an email that asked for sensitive information such as passwords and social security numbers, the action may be different than if the threat comprised unsolicited email attachments and advertisements.


In some examples, once the related communications are identified, computing system 400 may use information from the collected communications to gather enrichment information from internal and external sources. These sources, which may comprise websites or other databases, may store information about the severity and/or the complexity of the security threat presented within the environment. For example, if a URL link were provided in emails associated with a threat, a search may be performed for the URL in one or more databases to determine the security risk of the URL. Based on the risk or properties identified by the external sources, a response may be generated for the security threat.


To provide the response to the security threat, advisement computing system 400 may be configured to implement one or more actions in the environment without input from an administrator of the environment. However, in addition to or in place of the automated actions, one or more action suggestions based on the related communication interactions may be provided to an administrator either locally via user interface 402 or externally via an administration console. Once provided, the user may select or provide input to select an action to be implemented in the environment. Upon selection, advisement computing system 400 will identify the selections, and initiate implementation of the actions within the environment.


The included descriptions and figures depict specific implementations to teach those skilled in the art how to make and use the best option. For the purpose of teaching inventive principles, some conventional aspects have been simplified or omitted. Those skilled in the art will appreciate variations from these implementations that fall within the scope of the invention. Those skilled in the art will also appreciate that the features described above can be combined in various ways to form multiple implementations. As a result, the invention is not limited to the specific implementations described above, but only by the claims and their equivalents.

Claims
  • 1. A computer-implemented method comprising: obtaining, from a first computing asset of a computing environment comprising a plurality of computing assets, data indicating a security threat affecting the computing environment, wherein the data identifies a first communication interaction associated with the security threat;obtaining, from a second computing asset of the computing environment, one or more second communication interactions related to the first communication interaction, wherein the one or more second communication interactions are identified using a characteristic of the first communication interaction;receiving a request to monitor future communications associated with the characteristic of the first communication interaction;identifying a future communication associated with the characteristic of the first communication interaction;identifying an automated response based at least in part on the characteristic of the first communication interaction;translating the automated response into an action to be performed at a third computing asset involved in the first communication interaction; andcausing the third computing asset to perform the action, wherein completion of the action mitigates the security threat.
  • 2. The computer-implemented method of claim 1, wherein content of the one or more second communication interactions includes a uniform resource locator (URL).
  • 3. The computer-implemented method of claim 1, wherein the characteristic of the first communication interaction includes at least one of: a username, an Internet Protocol (IP) address, a domain name, or a type of message content.
  • 4. The computer-implemented method of claim 1, further comprising: identifying a suggested action to be implemented at the third computing asset;providing the suggested action to an administrator of the computing environment;identifying a selection of the suggested action by the administrator of the computing environment; andinitiating implementation of the suggested action.
  • 5. The computer-implemented method of claim 1, wherein the data indicating the security threat within the computing environment includes at least one of: data received from a security information and event management (SIEM) system, or a user-generated notification of the security threat affecting the computing environment.
  • 6. The computer-implemented method of claim 1, wherein the automated response is identified further based at least in part on a number of the one or more second communication interactions.
  • 7. The computer-implemented method of claim 1, further comprising: determining, based on the one or more second communication interactions, a type of the security threat; andidentifying the automated response based on determining the type of the security threat associated with the one or more second communication interactions.
  • 8. The computer-implemented method of claim 1, further comprising: determining, based on a type of content contained in the one or more second communication interactions, that the security threat involves a phishing attempt; andidentifying the automated response based on determining that the security threat involves the phishing attempt.
  • 9. The computer-implemented method of claim 1, further comprising: identifying another future communication associated with content of the one or more second communication interactions.
  • 10. The computer-implemented method of claim 1, wherein the first computing asset and the second computing asset are a same computing asset.
  • 11. The computer-implemented method of claim 1, wherein the first computing asset and the third computing asset are a same computing asset.
  • 12. The computer-implemented method of claim 1, wherein the action is specific to a hardware or software configuration of the third computing asset.
  • 13. The computer-implemented method of claim 1, wherein the automated response includes at least one of: blocking receipt of emails at the third computing asset, or blocking an internet protocol (IP) address.
  • 14. The computer-implemented method of claim 1, wherein the automated response is a first automated response, and wherein the method further comprises: determining that at least one of the one or more second communication interactions includes a link to download a file;determining that the file is malicious; andinitiating a second automated response in the computing environment based on determining that the file is malicious.
  • 15. A computing device, comprising: a processor; anda non-transitory computer-readable medium having stored thereon instructions that, when executed by the processor, cause the processor to perform operations including: obtaining, from a first computing asset of a computing environment comprising a plurality of computing assets, data indicating a security threat affecting the computing environment, wherein the data identifies a first communication interaction associated with the security threat;obtaining, from a second computing asset of the computing environment, one or more second communication interactions related to the first communication interaction, wherein the one or more second communication interactions are identified using a characteristic of the first communication interaction;receiving a request to monitor future communications associated with the characteristic of the first communication interaction;identifying a future communication associated with the characteristic of the first communication interaction;identifying an automated response based at least in part on the characteristic of the first communication interaction;translating the automated response into an action to be performed at a third computing asset involved in the first communication interaction; andcausing the third computing asset to perform the action, wherein completion of the action mitigates the security threat.
  • 16. The computing device of claim 15, wherein content of the one or more second communication interactions includes a uniform resource locator (URL).
  • 17. The computing device of claim 15, wherein the characteristic of the first communication interaction includes at least one of: a username, an Internet Protocol (IP) address, a domain name, or a type of message content.
  • 18. A non-transitory computer-readable medium having stored thereon instructions that, when executed by one or more processors, cause the one or more processors to perform operations including: obtaining, from a first computing asset of a computing environment comprising a plurality of computing assets, data indicating a security threat affecting the computing environment, wherein the data identifies a first communication interaction associated with the security threat;obtaining, from a second computing asset of the computing environment, one or more second communication interactions related to the first communication interaction, wherein the one or more second communication interactions are identified using a characteristic of the first communication interaction;receiving a request to monitor future communications associated with the characteristic of the first communication interaction;identifying a future communication associated with the characteristic of the first communication interaction;identifying an automated response based at least in part on the characteristic of the first communication interaction;translating the automated response into an action to be performed at a third computing asset involved in the first communication interaction; andcausing the third computing asset to perform the action, wherein completion of the action mitigates the security threat.
  • 19. The non-transitory computer-readable medium of claim 18, wherein content of the one or more second communication interactions includes a uniform resource locator (URL).
  • 20. The non-transitory computer-readable medium of claim 18, wherein the characteristic of the first communication interaction includes at least one of: a username, an Internet Protocol (IP) address, a domain name, or a type of message content.
RELATED APPLICATIONS

This application claims benefit under 35 U.S.C. § 120 as a continuation of U.S. application Ser. No. 17/033,146, filed Sep. 25, 2020, which is a continuation of Ser. No. 14/868,553, filed Sep. 29, 2015, issued as U.S. Pat. No. 10,834,120, which application is related to and claims priority to U.S. Provisional Patent Application No. 62/087,025, entitled “ACTION RECOMMENDATIONS FOR COMPUTING ASSETS BASED ON ENRICHMENT INFORMATION,” filed on Dec. 3, 2014, U.S. Provisional Patent Application No. 62/106,830, entitled “ACTION RECOMMENDATIONS FOR ADMINISTRATORS IN A COMPUTING ENVIRONMENT,” filed on Jan. 23, 2015, and U.S. Provisional Patent Application No. 62/106,837, entitled “SECURITY ACTIONS IN A COMPUTING ENVIRONMENT,” filed on Jan. 23, 2015, all of which are hereby incorporated by reference in their entirety.

US Referenced Citations (167)
Number Name Date Kind
6405318 Rowland Jun 2002 B1
7076803 Bruton et al. Jul 2006 B2
7127743 Khanolkar et al. Oct 2006 B1
7174566 Yadav Feb 2007 B2
7469301 Daniell et al. Dec 2008 B2
7617533 Hernacki Nov 2009 B1
7657927 Tajalli et al. Feb 2010 B2
7900259 Jeschke et al. Mar 2011 B2
7950056 Satish et al. May 2011 B1
8042171 Nordstrom et al. Oct 2011 B1
8103875 Ramzan et al. Jan 2012 B1
8146147 Litvin et al. Mar 2012 B2
8185953 Rothstein et al. May 2012 B2
8261317 Litvin et al. Sep 2012 B2
8271642 Sankararaman et al. Sep 2012 B1
8291495 Burns et al. Oct 2012 B1
8336094 Litvin et al. Dec 2012 B2
8380828 Schlichter et al. Feb 2013 B1
8402540 Kapoor et al. Mar 2013 B2
8484338 Paster Jul 2013 B2
8516575 Burnside et al. Aug 2013 B2
8590035 Aaron Nov 2013 B2
8627466 Fisher et al. Jan 2014 B2
8676970 Boyns et al. Mar 2014 B2
8756697 Ocepek et al. Jun 2014 B2
8856910 Rostami-Hesarsorkh et al. Oct 2014 B1
8881282 Aziz et al. Nov 2014 B1
8914878 Burns et al. Dec 2014 B2
8924469 Raleigh et al. Dec 2014 B2
8943123 Miyazaki et al. Jan 2015 B2
8949931 Ermagan et al. Feb 2015 B2
8955107 Eyada Feb 2015 B2
9009814 Wertz et al. Apr 2015 B1
9009824 Chen et al. Apr 2015 B1
9049226 Duane Jun 2015 B1
9137258 Haugsnes Sep 2015 B2
9166995 Roundy Oct 2015 B1
9231964 Cross et al. Jan 2016 B2
9256739 Roundy et al. Feb 2016 B1
9258319 Rubin Feb 2016 B1
9306965 Grossman et al. Apr 2016 B1
9311479 Manni et al. Apr 2016 B1
9313211 Lototskiy Apr 2016 B1
9325733 Kolman et al. Apr 2016 B1
9336385 Spencer et al. May 2016 B1
9338181 Burns et al. May 2016 B1
9344445 Burns et al. May 2016 B2
9378361 Yen et al. Jun 2016 B1
9396592 Chapman et al. Jul 2016 B2
9489516 Lu et al. Nov 2016 B1
9680846 Haugsnes Jun 2017 B2
9712555 Satish et al. Jul 2017 B2
9729572 Adams et al. Aug 2017 B1
9762607 Satish et al. Sep 2017 B2
9871818 Satish et al. Jan 2018 B2
9954888 Satish et al. Apr 2018 B2
10158663 Satish et al. Dec 2018 B2
10257227 Stickle et al. Apr 2019 B1
10412117 Forte Sep 2019 B2
10425440 Satish et al. Sep 2019 B2
10425441 Satish et al. Sep 2019 B2
10476905 Satish et al. Nov 2019 B2
10862905 Zettel, II Dec 2020 B2
10986120 Satish et al. Apr 2021 B2
11019092 Satish et al. May 2021 B2
11019093 Satish et al. May 2021 B2
11165812 Satish et al. Nov 2021 B2
20040003286 Kaler et al. Jan 2004 A1
20040054498 Shipp Mar 2004 A1
20040111637 Baffes et al. Jun 2004 A1
20040250133 Lim Dec 2004 A1
20050055578 Wright et al. Mar 2005 A1
20050216956 Orr et al. Sep 2005 A1
20050235360 Pearson Oct 2005 A1
20050273857 Freund Dec 2005 A1
20060010493 Piesco et al. Jan 2006 A1
20060048209 Shelest et al. Mar 2006 A1
20060059568 Smith-Mickelson et al. Mar 2006 A1
20060095965 Phillips et al. May 2006 A1
20060117386 Gupta et al. Jun 2006 A1
20060174342 Zaheer et al. Aug 2006 A1
20070168874 Kloeffer et al. Jul 2007 A1
20070169194 Church et al. Jul 2007 A1
20070180490 Renzi et al. Aug 2007 A1
20070255724 Jung et al. Nov 2007 A1
20080005782 Aziz Jan 2008 A1
20080082662 Dandliker et al. Apr 2008 A1
20080289028 Jansen et al. Nov 2008 A1
20090037548 Ordille et al. Feb 2009 A1
20090044277 Aaron Feb 2009 A1
20090165132 Jain et al. Jun 2009 A1
20100100962 Boren Apr 2010 A1
20100162347 Barile Jun 2010 A1
20100169973 Kim et al. Jul 2010 A1
20100251329 Wei Sep 2010 A1
20100281539 Burns et al. Nov 2010 A1
20100319004 Hudson et al. Dec 2010 A1
20100319069 Granstedt et al. Dec 2010 A1
20100325412 Norrman et al. Dec 2010 A1
20100325685 Sanbower Dec 2010 A1
20110161452 Poornachandran et al. Jun 2011 A1
20110238979 Harp et al. Sep 2011 A1
20120210434 Curtis et al. Aug 2012 A1
20120224057 Gill et al. Sep 2012 A1
20120311121 Shafrir et al. Dec 2012 A1
20120331553 Aziz et al. Dec 2012 A1
20130007882 Devarajan et al. Jan 2013 A1
20130081138 Rados et al. Mar 2013 A1
20130081141 Anurag Mar 2013 A1
20130091584 Liebmann et al. Apr 2013 A1
20130104203 Davis et al. Apr 2013 A1
20130111592 Zhu May 2013 A1
20130276108 Blackwell Oct 2013 A1
20130291106 Simonoff et al. Oct 2013 A1
20130298230 Kumar et al. Nov 2013 A1
20130298244 Kumar et al. Nov 2013 A1
20130312092 Parker Nov 2013 A1
20130333032 Delatorre et al. Dec 2013 A1
20140007222 Qureshi et al. Jan 2014 A1
20140013107 Clair Jan 2014 A1
20140059641 Chapman et al. Feb 2014 A1
20140082726 Dreller et al. Mar 2014 A1
20140089039 McClellan Mar 2014 A1
20140137257 Martinez et al. May 2014 A1
20140165200 Singla Jun 2014 A1
20140165207 Engel et al. Jun 2014 A1
20140199663 Sadeh-Koniecpol et al. Jul 2014 A1
20140237599 Gertner et al. Aug 2014 A1
20140245374 Deerman et al. Aug 2014 A1
20140259170 Amsler Sep 2014 A1
20140283049 Shnowske et al. Sep 2014 A1
20140310811 Hentunen Oct 2014 A1
20140344926 Cunningham et al. Nov 2014 A1
20140351441 Madani et al. Nov 2014 A1
20140351940 Loder et al. Nov 2014 A1
20150040217 Abuelsaad et al. Feb 2015 A1
20150143516 Sharpe et al. May 2015 A1
20150207813 Reybok et al. Jul 2015 A1
20150215325 Ogawa Jul 2015 A1
20150222647 Lietz et al. Aug 2015 A1
20150222656 Haugsnes Aug 2015 A1
20150264077 Berger et al. Sep 2015 A1
20150304169 Milman et al. Oct 2015 A1
20150334132 Zombik et al. Nov 2015 A1
20150341384 Mandayam et al. Nov 2015 A1
20150347751 Card et al. Dec 2015 A1
20150347949 Dwyer et al. Dec 2015 A1
20150365438 Carver Dec 2015 A1
20150381641 Cabrera et al. Dec 2015 A1
20150381649 Schultz et al. Dec 2015 A1
20160006749 Cohen et al. Jan 2016 A1
20160044058 Schlauder Feb 2016 A1
20160065608 Futty Mar 2016 A1
20160072836 Hadden et al. Mar 2016 A1
20160103992 Roundy et al. Apr 2016 A1
20160119379 Nadkarni Apr 2016 A1
20160164893 Levi Jun 2016 A1
20160164916 Satish et al. Jun 2016 A1
20160164917 Friedrichs et al. Jun 2016 A1
20160241580 Watters et al. Aug 2016 A1
20160241581 Watters et al. Aug 2016 A1
20170214702 Moscovici et al. Jul 2017 A1
20170230412 Thomas et al. Aug 2017 A1
20170237762 Ogawa Aug 2017 A1
20180255073 Sifford Sep 2018 A1
20200396237 Cohen et al. Dec 2020 A1
20220060508 Crabtree Feb 2022 A1
Non-Patent Literature Citations (94)
Entry
Final Office Action, U.S. Appl. No. 17/185,612, dated Mar. 28, 2023, 7 pages.
Final Office Action, U.S. Appl. No. 17/326,070, dated Jan. 19, 2023, 19 pages.
Non-Final Office Action, U.S. App. No. 17/242, 165, dated Jan. 25, 2023, 15 pages.
Non-Final Office Action, U.S. Appl. No. 17/513,595, dated Dec. 30, 2022, 15 pages.
Notice of Allowance, U.S. Appl. No. 16/863,557, dated Jan. 12, 2023, 6 pages.
Notice of Allowance, U.S. Appl. No. 17/104,537, dated Feb. 1, 2023, 10 pages.
Notice of Allowance, U.S. Appl. No. 17/306,703, dated Jan. 11, 2023, 7 pages.
Aguirre, Idoia; Alonso, Sergio; “Improving the Automation of Security Information Management: A Collaborative Approach”, IEEE Security & Privacy, vol. 10, Issue 1, Oct. 25, 2011, pp. 55-59.
Final Office Action from U S. U.S. Appl. No. 14/677,493, dated Aug. 24, 2017, 29 pages.
Final Office Action from U.S. Appl. No. 14/674,679, dated Sep. 22, 2016, 19 pages.
Final Office Action from U.S. Appl. No. 14/677,493, dated Nov. 25, 2016, 23 pages.
Final Office Action from U.S. Appl. No. 14/677,493, dated Nov. 13, 2018, 20 pages.
Final Office Action from U.S. Appl. No. 14/824,262, dated Apr. 6, 2017, 22 pages.
Final Office Action from U.S. Appl. No. 14/868,553, dated Oct. 15, 2018, 19 pages.
Final Office Action from U.S. Appl. No. 14/868,553, dated Oct. 18, 2017, 19 pages.
Final Office Action from U.S. Appl. No. 14/956,589, dated Nov. 22, 2017, 27 pages.
Final Office Action from U.S. Appl. No. 15/924,759, dated Aug. 1, 2018, 13 pages.
Final Office Action from U.S. Appl. No. 16/107,979, dated Jun. 13, 2019, 14 pages.
Final Office Action received for U.S. Appl. No. 16/182,914, dated Sep. 18, 2019, 6 pages.
Final Office Action, U.S. Appl. No. 14/675,176, dated Nov. 25, 2016, 21 pages.
Final Office Action, U.S. Appl. No. 14/675,176, dated Sep. 25, 2017, 31 pages.
Final Office Action, U.S. Appl. No. 14/677,493, dated Jan. 16, 2020, 16 pages.
Hasegawa, Hirokazu; Yamaguchi, Yukiko; Shimada, Hajime; Takakura; Hiroki; “A Countermeasure Recommendation System against Targeted Attacks with Preserving Continuity of Internal Networks”, 38th Annual Computer Software and Applications Conference, IEEE, Jul. 21-25, 2014, pp. 400-405.
Hershey, Paul C., Ph.D.; Silio, Jr., Charles B., Ph.D.; “Procedure for Detection of and Response to Distributed Denial of Service Cyber Attacks on Complex Enterprise Systems”, International Systems Conference SysCon, IEEE, Mar. 19-22, 2012, 6 pages.
Non-Final Office Action from U.S. Appl. No. 15/886,183, dated Mar. 22, 2018, 21 pages.
Non-Final Office Action from U.S. Appl. No. 16/107,972, dated Dec. 31, 2018, 11 pages.
Non-Final Office Action from U.S. Appl. No. 16/142,913, dated Apr. 30, 2019, 33 pages.
Non-Final Office Action from U.S. Appl. No. 14/674,679, dated Jun. 2, 2016, 16 pages.
Non-Final Office Action from U.S. Appl. No. 14/675,075, dated Jul. 11, 2016, 13 pages.
Non-Final Office Action from U.S. Appl. No. 14/677,493, dated Aug. 2, 2019, 26 pages.
Non-Final Office Action from U.S. Appl. No. 14/677,493, dated Jul. 11, 2016, 17 pages.
Non-Final Office Action from U.S. Appl. No. 14/677,493, dated May 14, 2018, 23 pages.
Non-Final Office Action from U.S. Appl. No. 14/677,493, dated May 1, 2017, 25 pages.
Non-Final Office Action from U.S. Appl. No. 14/689,926, dated May 8, 2017, 34 pages.
Non-Final Office Action from U.S. Appl. No. 14/689,973, dated Jan. 25, 2017, 18 pages.
Non-Final Office Action from U.S. Appl. No. 14/824,262, dated Jul. 13, 2017, 20 pages.
Non-Final Office Action from U.S. Appl. No. 14/824,262, dated Oct. 7, 2016, 16 pages.
Non-Final Office Action from U.S. Appl. No. 14/868,553, dated Mar. 26, 2018, 22 pages.
Non-Final Office Action from U.S. Appl. No. 14/868,553, dated May 26, 2017, 16 pages.
Non-Final Office Action from U.S. Appl. No. 14/956,589, dated May 31, 2017, 33 pages.
Non-Final Office Action from U.S. Appl. No. 14/956,615, dated Jul. 28, 2017, 46 pages.
Non-Final Office Action from U.S. Appl. No. 15/699,454, dated Feb. 8, 2018, 19 pages.
Non-Final Office Action from U.S. Appl. No. 15/845,963, dated Feb. 12, 2018, 27 pages.
Non-Final Office Action from U.S. Appl. No. 15/924,759, dated Feb. 26, 2019, 20 pages.
Non-Final Office Action from U.S. Appl. No. 16/107,975, dated Jan. 4, 2019, 11 pages.
Non-Final Office Action from U.S. Appl. No. 16/107,979, dated Oct. 18, 2018, 14 pages.
Non-Final Office Action from U.S. Appl. No. 16/182,914, dated May 30, 2019, 23 pages.
Non-Final Office Action, U.S. Appl. No. 14/675,176, dated Apr. 17, 2017, 22 pages.
Non-Final Office Action, U.S. Appl. No. 14/675,176, dated Jul. 18, 2016, 18 pages.
Non-Final Office Action, U.S. Appl. No. 14/675,176, dated Jul. 14, 2020, 18 pages.
Non-Final Office Action, U.S. Appl. No. 14/677,493, dated Jul. 14, 2020, 18 pages.
Non-Final Office Action, U.S. Appl. No. 16/042,283, dated Jan. 24, 2020, 25 pages.
Non-Final Office Action, U.S. Appl. No. 16/539,918, dated Jul. 16, 2020, 14 pages.
Non-Final Office Action, US App. No. 16/568,949, dated Mar. 19, 2020, 18 pages.
Notice of Allowance from U.S. Appl. No. 14/674,679, dated Apr. 18, 2017, 20 pages.
Notice of Allowance from U.S. Appl. No. 14/689,926, dated Nov. 8, 2017, 22 pages.
Notice of Allowance from U.S. Appl. No. 14/689,973, dated Jul. 27, 2017, 33 pages.
Notice of Allowance from U.S. Appl. No. 14/824,262, dated Nov. 22, 2017, 7 pages.
Notice of Allowance from U.S. Appl. No. 14/956,589, dated Apr. 23, 2018, 21 pages.
Notice of Allowance from U.S. Appl. No. 14/956,615, dated Dec. 18, 2017, 19 pages.
Notice of Allowance from U.S. Appl. No. 15/699,454, dated Aug. 9, 2018, 11 pages.
Notice of Allowance from U.S. Appl. No. 15/845,963, dated Jun. 26, 2018, 11 pages.
Notice of Allowance from U.S. Appl. No. 15/886,183, dated Sep. 19, 2018, 9 pages.
Notice of Allowance from U.S. Appl. No. 15/924,759, dated Jun. 13, 2019, 21 pages.
Notice of Allowance from U.S. Appl. No. 16/107,972, dated May 9, 2019, 18 pages.
Notice of Allowance from U.S. Appl. No. 16/107,975, dated May 13, 2019, 18 pages.
Notice of Allowance, U.S. Appl. No. 14/674,679, dated Jun. 20, 2017, 5 pages.
Notice of Allowance, U.S. Appl. No. 14/674,679, dated May 12, 2017, 4 pages.
Notice of Allowance, U.S. Appl. No. 14/675,176, dated Dec. 30, 2019, 6 pages.
Notice of Allowance, U.S. Appl. No. 14/689,926, dated Dec. 20, 2017, 6 pages.
Notice of Allowance, U.S. Appl. No. 14/689,973, dated Aug. 10, 2017, 6 pages.
Notice of Allowance, U.S. Appl. No. 14/824,262, dated Jan. 5, 2018, 4 pages.
Notice of Allowance, U.S. Appl. No. 14/868,553, dated Jun. 26, 2020, 8 pages.
Notice of Allowance, U.S. Appl. No. 15/699,454, dated Nov. 20, 2018, 6 pages.
Notice of Allowance, U.S. Appl. No. 16/042,283, dated Jul. 28, 2020, 17 pages.
Notice of Allowance, U.S. Appl. No. 16/107,979, dated Oct. 7, 2019, 14 pages.
Notice of Allowance, U.S. Appl. No. 16/142,913, dated Aug. 30, 2019, 21 pages.
Notice of Allowance, U.S. Appl. No. 16/182,914, dated Dec. 4, 2019, 5 pages.
Notice of Allowance, U.S. Appl. No. 16/182,914, dated Mar. 6, 2020, 2 pages.
Notice of Allowance, U.S. Appl. No. 17/033,146, dated Jan. 10, 2022, 10 pages.
Paudice, Andrea; Sarkar; Santonu; Cotroneo, Dominco; “An Experiment with Conceptual Clustering for the Analysis of Security Alerts”, IEEE International Symposium on Software Reliability Engineering Workshops, Nov. 3-6, 2014, pp. 335-340.
Tejay, Gurvirender P.S.; Zadig, Sean M.; “Investigating the Effectiveness of IS Security Countermeasures Towards Cyber Attacker Deterrence”, 45th Hawaii International Conference on System Sciences, IEEE, Jan. 4-7, 2012, pp. 3051-3060.
Final Office Action from U.S. Appl. No. 14/677,493, dated Aug. 24, 2017, 29 pages.
Non-Final Office Action, U.S. Appl. No. 16/863,557, dated Nov. 24, 2021, 17 pages.
Non-Final Office Action, U.S. Appl. No. 14/677,493, dated May 1, 2017, 25 pages.
Non-Final Office Action, U.S. Appl. No. 17/185,612, dated Sep. 16, 2022, 10 pages.
Non-Final Office Action, U.S. Appl. No. 17/306,703, dated Sep. 9, 2022, 15 pages.
Final Office Action, U.S. Appl. No. 16/863,557, dated Apr. 7, 2022, 18 pages.
Non-Final Office Action, U.S. Appl. No. 16/863,557, dated Aug. 25, 2022, 18 pages.
Non-Final Office Action, U.S. Appl. No. 17/104,537, dated Jul. 20, 2022, 16 pages.
Non-Final Office Action, U.S. Appl. No. 17/326,070, dated Aug. 16, 2022, 20 pages.
Non-Final Office Action, U.S. Appl. No. 17/326,070, dated Jun. 7, 2023, 20 pages.
Notice of Allowance, U.S. Appl. No. 17/513,595, dated Jul. 7, 2023, 7 pages.
Notice of Allowance, U.S. Appl. No. 17/326,070, dated Sep. 20, 2023, 7 pages.
Provisional Applications (3)
Number Date Country
62106837 Jan 2015 US
62106830 Jan 2015 US
62087025 Dec 2014 US
Continuations (2)
Number Date Country
Parent 17033146 Sep 2020 US
Child 17710523 US
Parent 14868553 Sep 2015 US
Child 17033146 US